On Wed, Apr 17, 2002 at 12:28:37PM -0700, Rick Klement wrote:
> There's already a %dispatch set up for you by perl...

I'd have used it but it just fell into the gaping security hole.

A recent Phrack article pointed out that one of the SOAP/RPC/XML
modules was doing this:

    $soap->$tainted_method_name(@args);

where $tainted_method_name was derived from the Outside World.
Because it wasn't doing any checking one could remotely pass in
something like:

    I::want::you::to::call::this::method::instead

and it would.  Because the method name is absolute it would work.  As
long as the method in question doesn't look at its arguments (as
below) it will run fine.  It just so happens that there was a method
which granted authorization which didn't use its arguments.  Ergo,
security hole.

Yes, there are plans to make symbolic refs and dynamic method calls
taint check in 5.8.1.


>    while( $vData =~ /\[([A-Z])\]/g ) {
>        my $vSub = ucfirst lc $1;
>        main->$vSub();
         ^^^^^^^^^^^^^^

that's a method call which will cause problems if the subroutine looks
at its arguments.  It'll see "main" as the first one.

    no strict 'refs';
    &$vSub;

instead.

>    }


    


-- 

Michael G. Schwern   <[EMAIL PROTECTED]>    http://www.pobox.com/~schwern/
Perl Quality Assurance      <[EMAIL PROTECTED]>         Kwalitee Is Job One
4 WHEREAS, the siren song of payola issuing from the discordant calliopes
of these gambling vessels has led thousands of Kentucky citizens to vast
disappointment and woe;
    -- Kentucky Legislature, HR 256
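
The hole described in the message above, next to a dispatch table used as an allowlist, as an added example that is not part of the original message or of the SOAP module it mentions. The package names, method names and inputs are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-ins: a service class with one public method, and an
# unrelated package holding a sub that was never meant to be reachable.
package My::Service;
sub new    { return bless {}, shift }
sub status { return "status ok" }

package Internal::Auth;
sub grant { return "authorization granted" }   # ignores its arguments

package main;

# Pattern from the message: the method name comes straight from the request.
# Perl treats a name containing '::' as fully qualified and skips the
# object's own class when resolving it.
sub unchecked_call {
    my ($obj, $name, @args) = @_;
    return $obj->$name(@args);
}

# Allowlist dispatch: only names present as keys can run, and the code
# reference comes from the table, never from the caller's string.
my %dispatch = (
    status => sub { my ($obj, @args) = @_; return $obj->status(@args) },
);

sub checked_call {
    my ($obj, $name, @args) = @_;
    my $handler = $dispatch{$name}
        or die "rejected method name\n";
    return $handler->($obj, @args);
}

my $svc = My::Service->new;
for my $name ('status', 'Internal::Auth::grant') {   # constructed inputs
    my $unchecked = eval { unchecked_call($svc, $name) } // "died";
    my $checked   = eval { checked_call($svc, $name) }   // "rejected";
    print "$name: unchecked=$unchecked checked=$checked\n";
}
```

Because the table maps names to code references, this form also needs neither `no strict 'refs'` nor a symbolic call.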
